[Owasp-leaders] HTML5 local storage..
eoin.keary at owasp.org
Thu Dec 5 10:08:47 UTC 2013
Would a weak browser (IE6) infected with Malware be an issue here?
Certificate stores / Keystores have passwords etc but local storage does
On 5 December 2013 10:06, Eoin <eoin.keary at owasp.org> wrote:
> Hi Chris,
> What you're saying is using local storage as a "certificate store" sorta
> affair? Like a keystore for auth/authz when using an app?
> On 5 December 2013 09:56, Christian Papathanasiou <christian.papathanasiou at owasp.org> wrote:
>> Hi everyone,
>> Assuming a domain does all the right stuff regarding XSS protection
>> (white listing, output encoding, CSP etc etc) could HTML 5 local storage
>> perhaps be a very interesting candidate for storing session cookies and
>> performing authentication/authorization?
>> Reading between the lines the following key benefits stood out for me:
>> Local storage token/cookie not transmitted over the wire hence
>> minimising opportunity of cookie theft from sniffing
>> Same origin policy means that local storage cookie will be
>> protected/relatively immune from CSRF attacks and hence no additional
>> effort required to CSRF tokenize forms etc.
>> Of course, if your site has XSS then local storage cookies can be
>> siphoned off or even injected but assuming for the time being that the site
>> is immune to XSS and hence the lack of http only doesn't really matter and
>> everything going over SSL by default (hence secure flag doesn't really
>> matter) would the above benefits hold true?
>> Of course the user can mangle the local storage token/cookie but that
>> would in effect not really be different to doing the same with Burp proxy
>> etc as long as token/cookie is sufficiently random complex etc and unable
>> to infer other peoples session tokens for horizontal or vertical priv esc.
>> Am I missing something fundamental from a security perspective here? :-)
>> Finally are there any local storage authentication/authorization
>> frameworks out there?
>> Many thanks & kind regards,
>> Christian Papathanasiou.
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
> Eoin Keary
> OWASP Member